Threat actors associated with The Gentlemen Ransomware-as-a-Service (RaaS) operation have been observed attempting to deploy a known proxy malware called SystemBC.
According to new research published by Check Point, analysis of command-and-control (C2 or C&C) servers associated with SystemBC uncovered more than 1,570 victims of the botnet.
“SystemBC establishes a SOCKS5 network tunnel in the victim’s environment and connects to its C&C server using a custom RC4-encrypted protocol,” Check Point said. It may also download and execute additional malware, with the payload either being written to disk or injected directly into memory.
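The quote above says SystemBC talks to its C&C over a custom RC4-encrypted protocol. The following is an added example, not Check Point's or SystemBC's code: a plain RC4 implementation used the way an analyst would after pulling the RC4 key out of a sample's configuration, to decode a captured C2 exchange. The key, the 4-byte length-prefixed framing, and the beacon messages are all constructed for this example; SystemBC's real framing and key derivation are not described on this page and are not claimed here.

```python
"""Added example: RC4 decoder for a length-prefixed C2 stream.

Everything below the cipher itself (SAMPLE_KEY, the framing in frame(),
the beacon text) is an assumption made for illustration, not SystemBC's
actual protocol.
"""
import struct


def rc4_ksa(key: bytes):
    """Key-scheduling algorithm: permute 0..255 under the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is a stream cipher: encryption and decryption are the same XOR
    against the PRGA keystream, so one function serves both directions."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def frame(key: bytes, plaintext: bytes) -> bytes:
    """Constructed framing (assumption): 4-byte big-endian length, then the
    RC4-encrypted body. The cipher state restarts for every record."""
    body = rc4(key, plaintext)
    return struct.pack(">I", len(body)) + body


def decode_stream(key: bytes, stream: bytes):
    """Walk the length-prefixed records in a capture and decrypt each one.
    A truncated trailing record (common in partial pcaps) is dropped rather
    than guessed at."""
    records = []
    pos = 0
    while pos + 4 <= len(stream):
        (length,) = struct.unpack(">I", stream[pos:pos + 4])
        pos += 4
        if pos + length > len(stream):
            break  # truncated capture: stop cleanly
        records.append(rc4(key, stream[pos:pos + length]))
        pos += length
    return records


# Constructed sample data: a hypothetical key "recovered" from a sample's
# config and two beacon messages. Not real SystemBC traffic.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_STREAM = (
    frame(SAMPLE_KEY, b"BEACON host=WS01 user=svc_backup")
    + frame(SAMPLE_KEY, b"SOCKS5 proxy ready on 0.0.0.0:4001")
)

if __name__ == "__main__":
    for record in decode_stream(SAMPLE_KEY, SAMPLE_STREAM):
        print(record.decode())
```

Because the keystream restarts per record under a single static key, two records XORed together equal their plaintexts XORed together; that keystream-reuse property is worth checking for in any RC4-based C2 protocol, since it can let an analyst recover traffic even before the key is extracted.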
Since its emergence in July 2025, The Gentlemen has established itself as one of the most prolific ransomware groups, claiming more than 320 victims on its data leak site. Operating under a classic double-extortion model, the group is as versatile as it is sophisticated: it has shown the ability to target Windows, Linux, NAS, and BSD systems with Go-based lockers, and to abuse legitimate drivers and custom malicious tools to subvert security software.
Exactly how the threat actors gain initial access is unclear, although the evidence suggests that exposed Internet-facing services or compromised credentials are abused to gain an initial foothold, followed by discovery, lateral movement, payload staging (Cobalt Strike, SystemBC, and the encryptor), defense evasion, and ransomware deployment. One notable aspect of the attacks is the abuse of Group Policy Objects (GPOs) to push the compromise domain-wide.
“By tailoring its strategy against specific security vendors, The Gentlemen has demonstrated a keen awareness of its target’s environment and a willingness to engage in intensive reconnaissance and tool modification throughout its operations,” security vendor Trend Micro said in an analysis of the group’s tradecraft in September 2025.
Check Point’s latest findings reveal that an affiliate of The Gentlemen RaaS deployed SystemBC on a compromised host. The C2 server linked to that proxy malware was found to be commanding more than 1,570 victims around the world, including in the US, UK, Germany, Australia, and Romania.
While SystemBC has been used in ransomware operations since at least 2020, the exact nature of the connection between the malware and The Gentlemen e-crime operation remains unclear, such as whether it is part of the standard attack playbook or whether a specific affiliate deploys it for data exfiltration and remote access.
“During lateral movement, the ransomware attempts to blind Windows Defender by executing a PowerShell script on each reachable remote host that disables real-time monitoring, adds blanket exclusions to drives, staging shares and its own process, turns off the firewall, re-enables SMB1, and loosens LSA anonymous access controls before deploying and executing the ransomware binary on that host,” Check Point said.
The ESXi variant offers fewer features than the Windows variant, but it can shut down virtual machines to increase the attack’s impact, establishes persistence via crontab, and inhibits recovery before the ransomware binary is deployed.
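The pre-encryption script Check Point describes above touches five independent controls (Defender real-time monitoring, Defender exclusions, the host firewall, SMB1, and LSA anonymous-access settings). Each change on its own is something an administrator might legitimately do; all of them landing on one host inside a short window is the signal. The following is an added example, not Check Point's detection or the actual script from the intrusion: a small triage routine run over PowerShell script block text (the kind of content Event ID 4104 records) that classifies each line into one of those tampering categories and alerts only when a host accumulates more than one category. The cmdlet patterns, threshold, host names, and log lines are my assumptions and constructed samples, not telemetry from the page.

```python
"""Added example: cluster-based triage of Defender/firewall/SMB1/LSA tampering
seen in PowerShell script block text. Patterns, threshold and the sample
events are assumptions constructed for this example, not real telemetry."""
import re
from collections import defaultdict

# One regex per tampering category. Keying the alert on distinct categories
# rather than one exact string keeps it robust to cosmetic rewrites of the
# script (different parameter order, netsh instead of the cmdlet, etc.).
TAMPER_SIGNATURES = [
    ("defender_realtime_off",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+(\$true|1)\b", re.I)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I)),
    ("firewall_off",
     re.compile(r"(Set-NetFirewallProfile\b.*-Enabled\s+False"
                r"|netsh\s+advfirewall\s+set\s+\w+\s+state\s+off)", re.I)),
    ("smb1_enabled",
     re.compile(r"(Set-SmbServerConfiguration\b.*-EnableSMB1Protocol\s+\$true"
                r"|Enable-WindowsOptionalFeature\b.*SMB1Protocol)", re.I)),
    # Any write to these LSA values is flagged; whether the new value actually
    # loosens access is left to the analyst reviewing the hit.
    ("lsa_anonymous_loosened",
     re.compile(r"Control\\Lsa\b.*\b(RestrictAnonymous(SAM)?|EveryoneIncludesAnonymous)\b", re.I)),
]

# Assumption: two or more distinct categories on one host is worth paging on.
ALERT_THRESHOLD = 2


def classify(script_text: str) -> set:
    """Return the set of tampering categories a single script block matches."""
    return {cat for cat, pattern in TAMPER_SIGNATURES if pattern.search(script_text)}


def triage(events):
    """events: iterable of (hostname, script_block_text) pairs.
    Returns {hostname: sorted categories} for every host at or above the
    threshold; hosts with a single, possibly legitimate, change are omitted."""
    per_host = defaultdict(set)
    for host, text in events:
        per_host[host] |= classify(text)
    return {h: sorted(c) for h, c in per_host.items() if len(c) >= ALERT_THRESHOLD}


# Constructed sample events (hypothetical hosts FS01 and WS07). FS01 shows the
# full tampering sequence; WS07 shows one routine exclusion added by an admin.
SAMPLE_EVENTS = [
    ("FS01", "Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("FS01", "Add-MpPreference -ExclusionPath 'C:\\'; "
             "Add-MpPreference -ExclusionPath '\\\\FS01\\staging'; "
             "Add-MpPreference -ExclusionProcess 'locker.exe'"),
    ("FS01", "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"),
    ("FS01", "Set-SmbServerConfiguration -EnableSMB1Protocol $true -Force"),
    ("FS01", "Set-ItemProperty -Path 'HKLM:\\SYSTEM\\CurrentControlSet\\Control\\Lsa' "
             "-Name RestrictAnonymous -Value 0"),
    ("WS07", "Add-MpPreference -ExclusionPath 'C:\\Program Files\\BuildAgent'"),
    ("WS07", "Get-Process | Where-Object CPU -gt 100"),
]

if __name__ == "__main__":
    for host, categories in triage(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(categories)}")
```

In production the same grouping would be bounded by time (for example, all categories within 15 minutes) and fed by script block logging plus Defender's own tamper events, but the shape of the detection is the one above: count distinct defensive controls being switched off per host, not individual commands.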
“Most ransomware groups make a noise when they launch and then disappear. Gentlemen is different,” Eli Smadja, group manager at Check Point Research, said in a statement shared with The Hacker News.
“They have solved the affiliate recruitment problem by offering better deals than anyone else in the criminal ecosystem. When we got inside one of their operator’s servers, we found over 1,570 compromised corporate networks that hadn’t even made the news yet. The real scale of this operation is much larger than publicly known, and it’s still growing.”
Rapid7 shed light on the inner workings of another relatively new ransomware family called Kyber, which surfaced in September 2025 and targets Windows and VMware ESXi infrastructure using encryptors written in Rust and C++, respectively.
“The ESXi variant is built specifically for VMware environments, with capabilities like datastore encryption, optional virtual machine termination, and obfuscation of the management interface,” the cybersecurity company said. “A Windows version written in Rust includes a self-described ‘experimental’ feature to target Hyper-V.”
“Kyber ransomware is not a masterpiece of complex code, but it is highly effective in wreaking havoc. It reflects a shift toward expertise rather than sophistication.”
According to data compiled by ZeroFox, the first quarter of 2026 saw at least 2,059 separate ransomware and digital extortion (R&DE) incidents, with at least 747 of them occurring in March. The most active groups during this period were Qilin (338), Akira (197), The Gentlemen (192), INC Ransom, and CL0P.
“Specifically, North America-based victims accounted for approximately 20 percent of The Gentlemen’s attacks in Q3 2025, 2% in Q4 2025, and 13% in Q1 2026,” ZeroFox said. “This largely goes against typical regional targeting trends by other R&DE groups, at least 50 percent of whose victims are based in North America.”
Changing velocity of ransomware attacks
Cybersecurity company Halcyon said in its 2025 Ransomware Evolution Report that ransomware is maturing into a more disciplined, business-driven criminal enterprise. The report also found that ransomware attacks targeting the automotive industry were set to more than double in 2025, accounting for 44% of all cyber incidents across the region.
Other significant trends include attempts to blind or disable endpoint detection and response (EDR) tools, the use of Bring Your Own Vulnerable Driver (BYOVD) techniques to escalate privileges and disable security solutions, the blurring of the line between nation-state and criminal ransomware campaigns, and the targeting of small and medium-sized organizations and operational technology (OT) environments.
“Ransomware continued to evolve as a sustainable, industrial ecosystem built on expertise, shared infrastructure and rapid regeneration rather than a single brand,” it added. “Law enforcement pressure and infrastructure seizure disrupted key operations, leading to fragmentation, rebranding and intensified competition in a more fluid landscape.”
Ransomware operations are also moving faster, with the time from intrusion to encryption shrinking from days to hours. About 69% of observed attack attempts were deliberately timed for nights and weekends to delay the defenders’ response.
For example, attacks involving the Akira ransomware have shown unusual speed, in some cases progressing from initial access to full encryption within an hour without detection, which points to a well-oiled attack engine designed to maximize impact.
“Akira’s combination of rapid compromise capabilities, disciplined operational speed, and investment in reliable decryption infrastructure sets it apart from many ransomware operators,” Halcyon said. “Defenders should treat Akira not as an opportunistic threat, but as a capable, persistent adversary who will exploit every available weakness to reach its objective.”